Security in Office 365 is always a hot topic. Not only does the platform lead the way when it comes to certifications and compliance, as we shall see later, but it uses a multi-layered approach that guarantees the highest levels of protection.
Yet, as it's a cloud product, many people still question just how secure the platform is, so in this post we’re going to take an in-depth look at the various levels of security Office 365 offers: from the base service level, to controls at the application level, to the formal certifications Microsoft have been awarded.
Service Level Security
Microsoft is an industry leader in cloud security, with policies and controls that match those required by even the most sophisticated organizations. According to Microsoft, Office 365 uses:
“... a defence in depth strategy that protects your data through layers of security – the physical, logical, and data layers. Microsoft’s Office 365 security strategy also involves methods of detecting, preventing and mitigating a security breach before it happens.”
This process involves a number of features, including:
Perimeter vulnerability scanning
Operating system security patching
Network-level DDoS (distributed denial-of-service) detection and prevention
Multi-factor authentication for service access
Security Customer Controls
Each separate application in Office 365 has its own security controls, known as ‘Security Customer Controls’ by Microsoft. These technologies include:
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Office 365 Message Encryption
Transport Layer Security (TLS) for SMTP messages to partners
So within a particular app, like OneDrive for Business, access and security can be controlled independently; for example, a certain subset of folders or files can be shared with specific users.
Privacy by Design
When data is added to Office 365 - say to a SharePoint team site or files uploaded to OneDrive for Business - you remain the sole owner and retain the rights, title and interest in the data you store in the stack. Microsoft maintains the privacy of the data and operates on the principles below.
Data is not mined for advertising or for any purpose other than providing the service you're paying for.
Whenever you terminate the contract, the data is available to you with full fidelity.
You'll have all the information on the data, from where it resides to who has access to it.
Access to your data is strictly limited, non-destructive, logged and audited.
Privacy Customer Controls
Office 365 enables users to collaborate with tools while also providing the ability to control how information is shared and by whom. This includes:
Privacy controls for sites, libraries and folders
Privacy controls for communications
There are similar Privacy Control features available in each Office 365 application. For instance, in SharePoint you can set specific rights management for users on particular lists and libraries. In Yammer, you can restrict the visibility of posts to certain users if you so wish. OneDrive will share documents only with particular users if you choose.
The Microsoft cloud infrastructure is one of the biggest in the world, and constantly growing. As a result, it has to meet strict compliance obligations and independent audits. Microsoft offers something they call ‘Continuous compliance’, which ensures Office 365 is always up to date with the necessary IT standards and regulations.
Office 365 has obtained independent verification for the following:
Obtained ISO 27001 and SSAE16 SOC 1 (Type II) audit verification
Received the ability to transfer data outside the EU with the U.S.-EU Safe Harbor Framework and EU Model Clauses
Signed the HIPAA Business Associate Agreement (BAA) with all customers
Received authority to operate from a U.S. federal agency under FISMA
Disclosed security measures through the Cloud Security Alliance Public Registry
Security at the center
Office 365 security can be compared to an onion - it’s got layer upon layer designed to protect your organization’s data.
Microsoft have gone to considerable lengths to protect their reputation as a provider of a secure service and we think this is commendable. It gives the admins who manage security, the end users who use the stack and the customers whose data you hold the confidence that your information is safe and secure.
Most importantly, Microsoft do not rest on their laurels, and are instead constantly looking for ways to improve security, so end users can have peace of mind.